PyPI is the Python Package Index. Its purpose is to help Python developers find and install software developed by the Python community.

I recently built my first Python package, patter, and released it publicly via PyPI. I ran into a few hiccups along the way, so I am writing this post to help those in a similar position.

This post will describe the basics of a .pypirc file and how to configure and secure it. I originally wrote this post for the Truveris Engineering blog and I am reposting it here for additional reach.

Getting Started

Before proceeding, it's a good idea to make sure that the setuptools and wheel libraries are up to date. The following command will update them if needed:

$ pip install -U setuptools wheel

This post will assume that you have a new Python library that is ready to be published. The source code should be packaged using a command like the one below. Your command may differ slightly depending on the needs of your package.

$ python setup.py sdist bdist_wheel

To read more about creating a distributable Python package, see these docs.

In the next section, I use the twine utility to facilitate the release of my new package. You can read about the benefits of using twine over the built-in packaging tools here. Install twine using the following command:

$ pip install twine

The .pypirc File

There are two main benefits to using a .pypirc file:

  1. It removes the need to enter a username/password when pushing to PyPI.
  2. It simplifies command line usage when pushing packages to a non-default package repository (i.e. anywhere other than pypi.org).

The official documentation on the .pypirc file can be found here. The contents of my .pypirc file can be seen below. This file must be placed in $HOME/.pypirc for pip/twine to use it.

    [distutils]
    index-servers=
        pypi
        testpypi

    [pypi]
    username: brodan
    password: xxxxxxxxxxxxxxxx

    [testpypi]
    repository: https://test.pypi.org/legacy/
    username: brodan
    password: yyyyyyyyyyyyyyyy

Keep in mind, pypi.org and test.pypi.org are not integrated, so you’ll need to have a separate account created on each site.

One thing to notice above is that the [pypi] section does not have repository configured, but the [testpypi] section does. That is because the repository variable defaults to https://upload.pypi.org/legacy/, so it does not need to be included in the [pypi] section.

Uploading Python Packages

Once the file above is in place, the --repository flag can be used with twine to specify which package repository your packages will be uploaded to.

If you wish to upload a package to the TestPyPI repository, the following command should be used:

$ twine upload --repository testpypi dist/*

Similarly, once the package is ready to be released to the public, the following should be used:

$ twine upload --repository pypi dist/*

Notice that you won’t be prompted for a password when running either of the above commands. You also no longer need to copy and paste repository URLs into the terminal.

Securing The .pypirc File

Since the .pypirc file is storing sensitive information (i.e. passwords) in plain text, it’s important to set the permissions on this file accordingly so that other users on the system can’t access this file.

To do this, run the following command:

$ chmod 600 ~/.pypirc

The command above will ensure that only the file owner (which should be your own user) can read and write to this file. Additional info on file permissions in UNIX can be found here. Thanks to this StackOverflow answer for help on this section.
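
A check that goes with the chmod step above, as an added example that is not part of the original post: it reports a .pypirc that is not owned by the current user or whose mode lets group or other users in, and lists every section that holds a plain-text password. The sample file contents, the placeholder credentials and the function names are constructed for the illustration.

```python
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample in the layout shown earlier; credentials are placeholders.
SAMPLE = """\
[distutils]
index-servers=
    pypi
    testpypi
[pypi]
username: example
password: placeholder-one
[testpypi]
repository: https://test.pypi.org/legacy/
username: example
password: placeholder-two
"""


def audit_pypirc(path):
    """Return a list of findings for the .pypirc file at `path`."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other access the file")
    # Only option names are inspected; secret values are never read out or printed.
    parser = configparser.RawConfigParser()
    parser.read(path)
    for name in parser.sections():
        if parser.has_option(name, "password"):
            findings.append(f"[{name}] holds a plain-text password")
    return findings


def demo():
    """Audit the constructed sample at mode 0644, then again after chmod 600."""
    with tempfile.TemporaryDirectory() as tmp:
        rc = Path(tmp) / ".pypirc"
        rc.write_text(SAMPLE)
        rc.chmod(0o644)
        before = audit_pypirc(rc)
        rc.chmod(0o600)  # same effect as: chmod 600 ~/.pypirc
        return before, audit_pypirc(rc)
```

To check a real file, call audit_pypirc(Path.home() / ".pypirc"); the password findings remain after chmod 600 because the file still stores the secrets in plain text for its owner.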

Wrapping Up

With a .pypirc file in place, the process of pushing Python packages to public repositories is now much easier.

If you have any questions or feedback regarding this post, please reach out to me via email or Twitter. Thanks for reading!


By: Brodan

